Phishing is, by far, the greatest threat to your privacy. More importantly, phishing is constantly evolving and changing, and it is your responsibility to do your research and remain informed. Want to know how you can avoid phishing? Read more below!
I’ve been involved with computers professionally for over 30 years with the last 6 in the role of a Cyber Security Analyst.
Phishing, in its various forms, is by far the greatest threat to your privacy. This article is meant to be a brief introduction to what steps you can take to prevent becoming a victim of a phishing scam.
Before I get into how to protect yourself against phishing, I think it’s important to know what exactly phishing is and the different forms it takes.
WHAT IS PHISHING?
- Much like a fisherman casts his line in the water with bait hoping to catch a fish, phishing uses “bait” in an attempt to reel in you and/or your organization’s private information.
- Adversaries will craft or spoof emails, social media accounts, wi-fi hotspots and websites that appear genuine in order to fool their targets into giving up the sensitive information they’re after.
WHAT INFORMATION ARE THE ADVERSARIES AFTER?
- Bank account information
- PINs
- System Login usernames and passwords
- SSNs
- Security question answers such as your Mother’s maiden name, what school did you go to, where were you born, etc.
- Physical addresses and phone numbers
HOW CAN WE PROTECT OURSELVES FROM SUCH NEFARIOUS ACTIVITY?
- First and foremost, be vigilant. Even some of the most cyber security aware individuals have been phished. All it takes is one mistake and you could have a potential breach.
- Email is probably the most common means of compromise, but there are usually clues to indicate one may not be legitimate.
Was the email unsolicited?
If you receive an unsolicited email, the best course of action is to delete it. Only respond to emails you have requested or are from sources you legitimately deal with. If there is an attachment, do not download or open it. Spam filters are useful, but they aren’t foolproof.
Is it poorly written and/or have grammatical errors?
Poorly written emails and those that contain improper English are a good indication of them being phishing attempts. Any email that starts with “Dear Customer” should immediately make you suspicious.
Does the sender address look legitimate? If it’s a US-based bank, would their domain end with .it or .au for example?
Use common sense. A Bank of America or USAA email would come from a legitimate source. If you’re not 100% sure if the source is genuine, don’t click on a link or an attachment in an email. Instead go directly to the authentic website for service.
If you have html enabled email (not recommended), when you rollover a link does it reveal what it plans to resolve to?
Best practice is to use text only. If you are sure the link is legitimate, you can copy/past it into a web browser. Adversaries will make their links look legitimate but when you roll your mouse over the hyperlink, it will show the actual web address. Adversaries have gotten very good at cloning legitimate websites and hosting them elsewhere in an attempt to fool the end user.
Does the email ask for you to respond with or enter personal information?
It’s not a good idea to respond with any personal information via email and never enter such information in popup windows. If you’re unsure of the source, call the bank or institution to see if they sent you the email.
Is your profile secure?
Make sure you go into the settings of the social media programs you use and lock down your information. Most times these are not secured by default. Adversaries will use your publicly shared information on these sites to target you in future phishing attempts.
Are you getting friend requests from strangers?
Again, make sure your settings are private. Never make your private information public on these services.
Are your friends saying they’re getting odd messages from you?
Perhaps your account has been compromised. Immediately change your password.
- Illegitimate websites are a serious problem.
You’re buying new shoes on a website. Does it use https and not just http? If it’s not using https (Encrypted or Secure), do not buy from them. Either they are not security conscious or they’ve been spoofed, and you’re not really on their site, but a replica controlled by an adversary.
- There are now plugins to help protect you from phishing websites. Anti-phishing toolbars are available for free, and they will conduct a check against known bad websites whenever you visit a site.
- Make sure you regularly update your browsers. Internet Explorer, Google Chrome, Mozilla Firefox and others will release patches for their products as vulnerabilities are discovered.
- Use a firewall.
Both desktop and network firewalls can help prevent phishing. Most likely, your company will have employed a network firewall, but a local desktop firewall is recommended.
- Check any accounts where your personal information is stored regularly.
Bank sites, shopping sites, and utility sites all likely have your credit/debit card information. Check them regularly to be sure there’s no irregular activity.
- Change your passwords to something unique. Use a combination of alphanumeric and symbols for complexity.
- Use Antivirus software and keep it up to date.
Malicious files are capable of automatically redirecting to phishing sites and compromising your personal information. Ransomware has been in the news a lot lately. This is typically received via phishing email or an infected website. Your computer files will be encrypted and inaccessible until a ransom is paid to the adversary.
- Finally, be very careful when accessing public wi-fi hotspots.
If you’re at a hotel, coffee shop, restaurant, airport, etc., be very careful. Adversaries will setup what appear to be legitimate hotspots but are actually rogue access points where they can steal your credentials.
For example: You’re at a popular coffee shop and see “Starbacks Free” is available to connect. It’s designed to fool you. Always be certain what the actual broadcast name of a business’ hotspot is before connecting (preferably using a password). Otherwise, you could be sharing everything on your device without you even knowing.
The World Wide Web can be a dangerous place. Keep your wits about you as you travel the information super-highway (old school).
The key points you should take away from this article:
- Stay vigilant.
- Never click on links or attachments.
- Secure your social media accounts.
- Use strong/complex passwords.
- Use Firewalls and updated Antivirus software.
- Regularly check your banking and shopping accounts.
- Check the legitimacy of wi-fi hotspots before connecting.
Phishing is not a new phenomenon. There are many excellent and in depth articles written about the subject. Here are a few I recommend for more detailed information:
https://krebsonsecurity.com/tag/phishing/
https://www.uscybersecurity.net/email-phishing/
https://www.phishing.org/10-ways-to-avoid-phishing-scams
https://www.pcmag.com/article/364947/how-to-avoid-phishing-scams
And here’s a really cool poster you can download about phishing. Keep in mind this is a quid pro quo. You’ll be giving your personal information to this company in exchange for the poster:
Image Source (BizTech-PhishingSMB): Biz Tech
Image Source (Phishing): Think Stock